The sophistication of underground eCrime laid bare

[Image: shady hooded figure with lines of code, representing a hacker and cybersecurity threat. Image credit: TheDigitalArtist / Pixabay]

Sophisticated attacks such as Sunburst and Colonial Pipeline demonstrate the heightened threat landscape organizations are facing. CrowdStrike's 2021 Global Threat Report showed that supply chain attacks, ransomware, data extortion and nation-state threats are more prolific and sophisticated than ever. In fact, on the heels of unprecedented growth in eCrime over the past year, there is a hidden world of strength, volume and sophistication in the cybercriminal market that rivals the legitimate business world for astute judgements, collaboration, adaptability and strategic direction.

About the author

Adam Meyers is the Senior Vice President of Intelligence at CrowdStrike.

Ransomware adversaries proliferated starting a few years back, and in 2020 the number of ransomware cases we observed exploded. We saw cyber criminals take the opportunity provided by the pandemic to flex their muscles, and show the honest world of business what sophisticated and corrupt eCrime looks like. CrowdStrike Intelligence observed a number of dramatic changes in targeted eCrime. CrowdStrike labels eCrime groups as SPIDER because they are not affiliated with state-sponsored activity. CARBON SPIDER shifted away from point-of-sale (POS) campaigns in favor of big game hunting (BGH), that is, ransomware campaigns targeting high-value targets. Ultimately, this led to the group introducing its own ransomware, DarkSide. Established eCrime actors like MUMMY SPIDER, WIZARD SPIDER and CARBON SPIDER continue to drive innovation in the world of malware development. Over the year, CrowdStrike Intelligence noted a rise in the use of open source obfuscation software and in the targeting of virtualization environments, techniques pioneered by these adversaries, across sectors including financial services, manufacturing and healthcare.

Ransomware: the 'go-to' threat

The eCrime ecosystem remains vast and interconnected - its groups are the underground mob families of the cyber world. Access brokers have begun to play a pivotal part in the eCrime ecosystem, supporting those engaged in BGH ransomware. Access brokers are threat actors that gain backend access to various organizations and sell this access to other parties. This eliminates the need for criminals to spend time identifying targets and gaining access.

To take one example, TWISTED SPIDER's adoption of data extortion tactics was noted in late 2019 as a direction other eCrime actors might pursue to capitalize on ransomware infections. It proved a preview of what would become an explosion (without hyperbole) of such activity moving forward. These eCrime actors were especially attracted to the allure of BGH.

At the same time, BGH trends also disrupted traditional targeted eCrime behavior, as seen in threat actor CARBON SPIDER's shift away from targeting point-of-sale (POS) systems to join the successful BGH ranks.

Since BOSS SPIDER, the original BGH adversary, was identified in 2016, CrowdStrike Intelligence has observed both established criminal actors (like INDRIK SPIDER and WIZARD SPIDER) and ransomware operators adopting and reimagining BGH tactics. Throughout 2020, BGH was a pervasive threat to all companies worldwide. CrowdStrike Intelligence identified at least 1,377 unique BGH infections.

Steal, ransom, leak

2020 saw a growing trend of ransomware operators threatening to leak data from victims, and actively doing so. This tactic was likely intended to pressure victims into making payment, but it is also a response to improved cybersecurity practices by companies that could mitigate the encryption of their files by recovering from backups.

What marks a departure from previous BGH operations, and is truly unique about recently observed behavior, is the accelerated adoption of data extortion techniques and the introduction of dedicated leak sites (DLSs) associated with specific ransomware groups. These approaches were adopted by at least 23 ransomware operators in 2020. BGH adversaries took different approaches to the release of data onto a DLS, with many staggering the release of victims' stolen data to extend the likelihood of ransom payments. TWISTED SPIDER became the most adept at this technique, spacing out releases in percentages of the total exfiltrated dataset.

An alternative approach is to release the datasets in numbered parts, a technique preferred by RIDDLE SPIDER and VIKING SPIDER. CARBON SPIDER developed an automated system that displays a predetermined publication time set by an automated countdown timer.

Less commonly observed is the release of data by type, where the adversary creates datasets for personally identifiable information (PII), financial records, sensitive company information, and information pertaining to partners and customers, and releases these at intervals.

For some victims with high brand recognition, each release can trigger renewed reporting on the incident, which is calculated to embarrass. VIKING SPIDER adopted this approach, as have affiliates of PINCHY SPIDER for some REvil victims. Whichever release method is chosen by the adversary, the intent is to increase pressure on the victim to pay up.

BGH and healthcare targeting

In the years before 2020, under 'normal operating conditions', healthcare faced significant threats from criminal groups deploying ransomware. On the night of September 11th, a man died in a German hospital that was under ransomware attack, an attack that caused delays in critical care - although police eventually decided the attack did not amount to legal causation of this patient's death. Alongside the possibility that such attacks may well cause such terrible real-world consequences, there is a secondary threat from ransomware operations that exfiltrate data prior to the ransomware locking up systems.

Some tracked adversaries, like TWISTED SPIDER, VIKING SPIDER, GRACEFUL SPIDER and TRAVELING SPIDER, publicly announced that they would avoid targeting frontline healthcare entities during the early pandemic. DOPPEL SPIDER said that any unintentional infections would be resolved without requiring payment.

Despite these proclamations, CrowdStrike Intelligence confirmed that 18 BGH ransomware families infected 104 healthcare organizations in 2020. The most prolific were TWISTED SPIDER using Maze and WIZARD SPIDER using Conti. It appears that some adversaries proceeded to attack pharmaceutical and biomedical companies during the pandemic regardless.

Know your risk and plan accordingly

Understand the risk to your sector. Although most ransomware operations are opportunistic, last year CrowdStrike Intelligence identified the highest number of ransomware-associated data extortion operations in the industrial and engineering sector (229 incidents) and the manufacturing sector (228 incidents). Manufacturing is particularly vulnerable to ransomware operations, where a disruption in day-to-day operations can create an enormous cost to the core business.

Look to vulnerable services. The consequential vulnerabilities observed throughout 2020 were characterized by relationships with internet-exposed remote services. These vulnerabilities are attractive because they can grant initial access to target networks. CrowdStrike Intelligence observed repeated exploitation of several different VPN services and web applications such as Microsoft SharePoint (see CVE-2019-0604). These compromises enabled "exploit chaining" with other vulnerabilities for the purposes of privilege escalation and network pivoting.

See it, understand it. Visibility and speed are critical for blocking attackers. This includes cloud environments, just as with on-premises systems. The combination of cloud-native technology and a single, lightweight agent makes CrowdStrike an effective and efficient solution without compromising speed or performance.

Create a culture of cybersecurity. While technology is critical in the fight to detect and stop intrusions, the user remains a crucial link in the chain to stop breaches. Awareness programs will help to combat the threat of phishing and related social engineering techniques.

Source: https://www.techradar.com/features/the-sophistication-of-underground-ecrime-laid-bare

Posted by: robertsthenly.blogspot.com
